Opieaccess file, is this normal?

Didier Wiroth didier.wiroth at mcesr.etat.lu
Tue Jun 22 08:56:21 PDT 2004


Hi,

I'm trying to set up one-time passwords on FreeBSD 5.2.1.


From what I've read so far, if the user is present in opiekeys, the
opieaccess file determines whether the user (coming from a specific host or
network) is allowed to use his Unix password from that specific network.

As my opieaccess file is empty and the default rule (as mentioned in the
man page) is deny, I should not be able to get an ssh shell with my standard
Unix password.

I've made a test on a test machine running sshd (version
OpenSSH_3.6.1p1 FreeBSD-20030924).

The opiekeys file contains one user, me actually.
The opieaccess file is empty, so (by default) the Unix password should not be
allowed when connecting through ssh.

I press "enter" a few times and sshd switches to the next authentication
method, "password".
Now I can enter my standard password and I'm logged in, even though I should
only be allowed to use the OPIE passwords.

Why? Isn't this a bug? 

Here is the ssh -v output:

debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/didier/.ssh/identity
debug1: Trying private key: /home/didier/.ssh/id_rsa
debug1: Trying private key: /home/didier/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
otp-md5 300 pw9999 ext
Password:
otp-md5 300 pw9999 ext
Password [echo on]:
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
otp-md5 300 pw9999 ext
Password:
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
otp-md5 300 pw9999 ext
Password:
debug1: Authentications that can continue:
publickey,password,keyboard-interactive
debug1: Next authentication method: password
didier at localhost's password:
debug1: Authentication succeeded (password).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: channel 0: request pty-req
debug1: channel 0: request shell
debug1: channel 0: open confirm rwindow 0 rmax 32768

Thanks a lot



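The post above describes the opieaccess semantics it relies on: a rule file of "permit"/"deny" entries keyed by address and netmask, with deny as the default when no entry matches. The script below is an added example, not code from the post or from the OPIE/FreeBSD sources; it implements that lookup logic in Python so the default-deny behaviour of an empty file can be checked directly. The sample rule file and the client addresses are constructed for illustration, and the file format assumed here is the one documented in opieaccess(5): three whitespace-separated fields, `action address netmask`, with `#` starting a comment.

```python
import ipaddress

# Constructed sample opieaccess contents (hypothetical, for illustration only).
# Format assumed from opieaccess(5): "action address netmask".
SAMPLE_OPIEACCESS = """\
# permit plain Unix passwords from the local LAN, deny from the 10/8 block
permit 192.168.1.0 255.255.255.0
deny   10.0.0.0    255.0.0.0
"""

# An empty file, as in the post: no rules at all.
EMPTY_OPIEACCESS = ""


def parse_opieaccess(text):
    """Parse opieaccess-style text into an ordered list of (action, network).

    Blank lines and '#' comments are ignored. Malformed lines raise
    ValueError instead of being skipped, because a silently dropped rule
    would change the access decision.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected 'action address netmask'")
        action, address, netmask = fields
        action = action.lower()
        if action not in ("permit", "deny"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        # strict=False lets the address carry host bits; the netmask decides
        # which bits are compared, matching the address/mask style of the file.
        network = ipaddress.IPv4Network((address, netmask), strict=False)
        rules.append((action, network))
    return rules


def unix_password_allowed(rules, client_ip):
    """Return True if a user listed in opiekeys may use the plain Unix
    password from client_ip, under first-match-wins with default deny."""
    ip = ipaddress.IPv4Address(client_ip)
    for action, network in rules:
        if ip in network:
            return action == "permit"
    # No rule matched: the documented default is deny.
    return False


if __name__ == "__main__":
    empty = parse_opieaccess(EMPTY_OPIEACCESS)
    sample = parse_opieaccess(SAMPLE_OPIEACCESS)
    for src in ("127.0.0.1", "192.168.1.7", "10.1.2.3", "172.16.0.1"):
        print(f"empty file, {src:12s}: {unix_password_allowed(empty, src)}")
        print(f"sample,     {src:12s}: {unix_password_allowed(sample, src)}")
```

With the empty file every client address, including 127.0.0.1, evaluates to deny, which is the policy the post expects. The file only expresses the policy, though; whether a given login method consults it depends on the authentication stack that method runs through, and in OpenSSH the separate "password" method seen in the debug output is switched on or off by `PasswordAuthentication` in sshd_config.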